-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4389
  Security Bulletin: IBM Maximo Asset Management is vulnerable to Privilege
                          Escalation (CVE-2019-4530)
                              20 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Delete Arbitrary Files -- Existing Account
                   Increased Privileges   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4530

Original Bulletin:
   https://www.ibm.com/support/pages/node/1108503

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Maximo Asset Management is vulnerable to Privilege Escalation (CVE-2019-4530)

Security Bulletin

Summary

IBM Maximo Asset Management could allow an authenticated user to delete a
record that they should not normally be able to.

Vulnerability Details

CVEID: CVE-2019-4530
DESCRIPTION: IBM Maximo Asset Management could allow an authenticated user
to delete a record that they should not normally be able to.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/165586
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+---------------------------+----------+
|Affected Product(s)        |Version(s)|
+---------------------------+----------+
|IBM Maximo Asset Management|7.6.0     |
+---------------------------+----------+
|IBM Maximo Asset Management|7.6.1     |
+---------------------------+----------+
|IBM Maximo Asset Management|7.6.1.1   |
+---------------------------+----------+

Remediation/Fixes

Please refer to Workarounds and Mitigations.

Workarounds and Mitigations

The MXAPIWODETAIL object structure provides information on work order records
in Maximo. While work center users need access to read, insert, and save work
orders using this object structure, they do not need access to delete work
orders.

The APAR fix removes the DELETE authorization for the MXAPIWODETAIL object
structure from the TECHNICIAN and SUPERVISOR templates. While this fix ensures
that incorrect access settings are not applied to any future groups, it does
not revoke the existing delete access that was previously granted by the
templates. You must remove access to the DELETE authorization in the
MXAPIWODETAIL object structure for all groups that are linked to either the
SUPERVISOR or TECHNICIAN templates.

To remove the existing delete access, perform the following steps for each
group that is linked to either the SUPERVISOR or TECHNICIAN templates:

1. Open the Security Groups application.
2. Find the group that is linked to either the SUPERVISOR or TECHNICIAN
   templates and open it.
3. Click the Object Structures tab.
4. In the Object Structures table, find the MXAPIWODETAIL row and select it.
5. In the options table, uncheck the Grant Access check box for only the
   Delete MXAPIWODETAIL option.
6. Save the record.

In versions of Maximo Asset Management prior to 7.6.1.2, you must also update
the TECHNICIAN and SUPERVISOR templates to remove the DELETE authorization for
the MXAPIWODETAIL object structure. However, you cannot modify out-of-the-box
templates by using the user interface. You must execute the following database
statement to remove the delete access:

    delete from wctemplateauth
     where app = 'MXAPIWODETAIL'
       and workcenter in ('TECHNICIAN','SUPERVISOR')
       and template in ('TECHNICIAN','SUPERVISOR')
       and optionname = 'DELETE';

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
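The IBM mitigation above fixes the templates but leaves grants already copied to groups in place, so the two sides have to be checked separately. The queries below are an added verification example, not part of the IBM or AusCERT text; WCTEMPLATEAUTH and its columns come from the bulletin's own statement, while APPLICATIONAUTH (with GROUPNAME, APP, OPTIONNAME) is an assumed name for the table holding per-group option grants and should be confirmed against your schema.

```sql
-- Added verification queries (not from the bulletin). Run them after the
-- UI steps and the bulletin's DELETE statement have been applied.

-- 1. Template side: after the bulletin's DELETE statement, neither work
--    center template should still grant DELETE on MXAPIWODETAIL.
--    Expected result: zero rows. Table and columns are those used by the
--    bulletin's own statement.
select workcenter, template, app, optionname
  from wctemplateauth
 where app = 'MXAPIWODETAIL'
   and template in ('TECHNICIAN','SUPERVISOR')
   and optionname = 'DELETE';

-- 2. Group side: the template fix does not revoke grants that were already
--    copied to groups, so list every group that still holds the DELETE
--    option on the object structure. Each row is a group that still needs
--    steps 1-6 of the procedure above.
--    ASSUMPTION: APPLICATIONAUTH is the table holding per-group option
--    grants, keyed by GROUPNAME, APP and OPTIONNAME; verify in your schema.
select groupname, app, optionname
  from applicationauth
 where app = 'MXAPIWODETAIL'
   and optionname = 'DELETE'
 order by groupname;
```

Run both before and after remediation so the "after" result for each query is an empty set you can record as evidence that the grant was actually revoked, not only removed from the templates.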
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================